2005 CardSystems Security Breach, Affecting 40 Million Cardholders

You have no doubt heard by now that on Friday June 16th MasterCard reported that a Tucson-based credit card transaction company, CardSystems, experienced a serious security breach in which the account data of 40 million cards had been compromised. Nearly 14 million of those cards were MasterCard-branded cards and 22 million were VISA cards. Other card brands were also affected.

Apparently the breach was discovered May 22nd. It appears that a hacker was able to insert a virus into the computer system that captured customer data.

We believe this news is just the tip of the iceberg. No doubt, considerably more information about the breach will be revealed in the coming days. So far, the banks that issued the affected cards have not contacted cardholders to the best of our knowledge.

What should you do? While this situation indeed represents a major security breach -- the largest of those we've tracked since the mid-February ChoicePoint breach -- we believe consumers should NOT at this time be cancelling card accounts as a preventive measure. It's best to wait for more information to emerge and for banks to contact their customers directly.

MasterCard says that Social Security numbers were not stored in the affected data files. Relatively speaking, that is good news. It means that individuals do not have to be concerned about any new accounts being opened in their names. Rather, the potential for fraud would be restricted to existing accounts. If that scenario holds true, consumers would not need to place fraud alerts on their 3 credit reports.

Remember, cardholders are protected in two ways. First, federal law restricts losses to the first $50 of fraudulent charges, and we know of no financial institutions that have required fraud victims to pay this amount. Doing so would expose them to a public relations nightmare. Second, the major companies such as MasterCard have "zero liability" policies in which they have stated in writing they will not hold cardholders responsible for fraudulent charges.

Here's one thing you can do. If you have online access to your account(s), or if you have automated phone access, you can certainly check your account from time to time, looking for unusual activity. If you notice unauthorized charges, notify the card issuer immediately. But other than that, we advise that the best approach is to wait for official information from your bank and/or from the major companies such as MasterCard.